OpenSSL vulnerability CVE-2021-3449/CVE-2021-3450
BWC Cybersecurity Overlord ✭✭✭
Considering the fact that the SMA 100-series is running OpenSSL 1.1.1i, what is the impact of the two new high-severity vulnerabilities discovered and fixed in OpenSSL 1.1.1k?
This is not limited to the SMA 100-series; every other platform using OpenSSL is affected as well.
When can we expect a patch for all related products?
Category: Secure Mobile Access Appliances
Is disabling TLS v1.2 and having only TLS v1.3 a valid mitigation until a fixed firmware is available, because it seems to be TLS v1.2 related?
How to follow this advice, SNWL?
Checking on this.
@micah - SonicWall's Self-Service Sr. Manager
Hello, any reply on these advisories, please? It's been 3 days since the last update.
Hello, please find comments for anyone interested after a support case was logged with SonicWALL for the SMA series.
From SonicWall Technical Support: "I have taken the ownership of your case. The high-severity OpenSSL vulnerabilities CVE-2021-3450 and CVE-2021-3449 will be fixed in upcoming firmware releases: 10.2.0.8, 10.2.1.0-12sv. Thank you."
Subsequently, I have re-requested additional answers to the original support case comments regarding timescales of release and any mitigating actions which can be configured pre-firmware release.
Thanks @JohnStevo for the information and clearing this up with Support. No one at SNWL saw the need to chime in here.
Let's sit back, wait and hope for the best.
Because there is still nothing from SNWL, it seems that disabling TLSv1.2, as I mentioned before, is a short-term mitigation?
@BWC We have received an update of a workaround from SonicWALL, bizarrely from the GMS team (to whom we asked the same question regarding OpenSSL) but relating to the SMAs.
- OpenSSL vulnerabilities: CVE-2021-3450, CVE-2021-3449 will be fixed in upcoming firmware releases: 10.2.0.8, 10.2.1.0-12sv…
- Disabling TLS v1.2 and only having TLSv1.3 is a workaround for now, and be sure to reboot after the change.
Hope this helps.
It made it to the SNWL Security Blog 👏
@Micah still checking?
Just checking, anything new on this?
The private build I've got for my Radius thingy already contains OpenSSL 1.1.1k, so it's in the works. @Micah, in case someone asks.
Next stop, dedusting the rest of the system. <fingerscrossed> 🤣